Steve Hay just pushed fixes for CVE-2016-1238 to maint-5.22 and maint-5.24 for:

https://rt.perl.org/Ticket/Display.html?id=127834

Steve has also just released RCs for 5.22.3 and 5.24.1 carrying these fixes:

http://nntp.perl.org/group/perl.perl5.porters/238269
http://nntp.perl.org/group/perl.perl5.porters/238270

The problem relates to Perl 5 ("perl") loading modules from the includes directory array ("@INC") in which the last element is the current directory ("."). For more information, see the RT ticket linked above.

While the Perl Security group has attempted to mitigate some of these problems by modifying Perl modules, it is ultimately the responsibility of the application writer to remove relative paths from @INC to ensure the security and consistent behavior of their code regardless of what directory it executes from.

The fix is to check if the last entry of @INC is "." and, if so, to remove it as an included path. The following line, when added to the top of Perl applications, should mitigate this problem. This assumes your code is not intentionally depending on paths relative to your current working directory:

    BEGIN { pop @INC if $INC[-1] eq '.' }

We would also like to discourage using relative paths in @INC.

This problem was first reported by John Lightsey and Todd Rinaldo, courtesy of the cPanel Security Team at cPanel. The CVE is courtesy of Debian. The fix was done by Tony Cook.

--
Sawyer X, p5p
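The one-liner above only strips a trailing "."; the announcement also discourages any relative entry in @INC. The script below is an added example, not code from the announcement or from the perl project: it applies the BEGIN-block mitigation at compile time (before any later "use" can be resolved through the current directory) and then audits the remaining @INC entries, aborting if a relative path is still present. The helper names relative_inc_entries and assert_no_relative_inc are this example's own; File::Spec is core Perl.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory): remove a trailing "." from @INC at
# compile time, then refuse to run if any relative @INC entry remains, so that
# module resolution never depends on the current working directory.
use strict;
use warnings;

# The advisory's mitigation. A BEGIN block runs as soon as it is compiled,
# so it takes effect before every "use" statement that follows it.
BEGIN { pop @INC if $INC[-1] eq '.' }

use File::Spec;

# Return the entries of a path list that are not absolute paths.
# @INC may also hold code references or objects (require hooks); those are
# skipped because they are not directories on disk.
sub relative_inc_entries {
    my @paths = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @paths;
}

# Audit the live @INC once at startup; die with the offending entries listed
# rather than silently continuing with a cwd-dependent search path.
sub assert_no_relative_inc {
    my @bad = relative_inc_entries(@INC);
    die "Relative paths in \@INC: @bad\n" if @bad;
    return 1;
}

# Self-check on a constructed path list (not the live @INC): only the two
# relative entries should be reported, and "." must be among them.
my @flagged = relative_inc_entries('/usr/lib/perl5', '.', 'lib', sub { return });
die "self-check failed: @flagged\n" unless "@flagged" eq '. lib';

assert_no_relative_inc();
print "ok: \@INC has no relative entries\n";
```

Run it from any directory; if the interpreter's default @INC still ends in ".", the BEGIN block drops it and the audit passes. If a relative entry was added some other way (for example through PERL5LIB or -I), the script exits non-zero and names the entry, which is the behavior you want in a deployed application rather than a quiet fallback to cwd-relative loading.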